Abstract

Transactional memory allows the user to declare sequences of instructions as speculative 
transactions that can either commit or abort. If a transaction commits, its effect appears 
executed sequentially, so that the committed transactions constitute a correct sequential 
execution. If a transaction aborts, none of its update instructions can affect other transactions.

The popular criterion of opacity requires that the views of aborted transactions must 
also be consistent with the global sequential order constituted by committed ones. This 
is believed to be important, since inconsistencies observed by an aborted transaction may 
cause a fatal irrecoverable error or leave the system spinning in an infinite loop. Intuitively, an
opaque implementation must ensure that no intermediate view a transaction obtains before
it commits or aborts can be affected by a transaction that has not started committing yet,
the so-called deferred-update semantics.

In this paper, we intend to grasp this intuition formally. We propose a variant of opacity 
that explicitly requires the sequential order to respect the deferred-update semantics. We 
show that our criterion is a safety property, i.e., it is prefix- and limit-closed. Unlike opacity, 
our property also ensures that a serialization of a history implies serializations of its prefixes 
maintaining original "read-from" relations. Finally, we show that our property is equivalent 
to opacity if we assume that no two transactions commit identical values on the same 
variable, and present a counter-example for scenarios when the "unique-write" assumption 
does not hold. 



1 Introduction 

Resolving conflicts in an efficient and consistent manner is the most challenging task in concurrent
software design. Transactional memory (TM) [7, 14] addresses this challenge by offering
an interface in which sequences of shared-memory instructions can be declared as speculative
transactions. The underlying idea, borrowed from databases, is to treat each transaction as an
atomic event: a transaction may either commit, in which case it appears as executed sequentially,
or abort, in which case none of its update instructions affect other transactions. The user
can therefore design software having only sequential semantics in mind and let the memory take
care of conflicts resulting from potentially concurrent executions.

"The research leading to these results has received funding from the European Union Seventh Framework 
Programme (FP7/2007-2013) under grant agreement N 238639, ITN project TRANSFORM, and grant agreement 
N 248465, the S(o)OS project. 



In databases, a correct implementation of concurrency control should guarantee that committed
transactions constitute a serial (or sequential) execution [?]. On the other hand, uncommitted
transactions can be aborted without invalidating the correctness of committed ones. (In
the literature on databases, the latter feature is called recoverability.)

In the TM context, intermediate states witnessed by an incomplete transaction may affect 
the application through the outcome of its read operations. If the intermediate state is not 
consistent with any sequential execution, the application may experience a fatal irrecoverable
error or get stuck in an infinite loop. The correctness criterion of opacity [4, 5] addresses this issue
by requiring the states observed by uncommitted transactions to be consistent with a global 
serial execution constituted by committed ones (a serialization). 

An opaque TM implementation must, intuitively, ensure that no transaction can read from
a transaction that has not started committing yet. This is usually referred to as the deferred-update
semantics, and it was in fact explicitly required in some representations of opacity [3].
The motivation of this paper is to capture this intuition formally.

We present a new correctness criterion called du-opacity. Our criterion defines the read-from
relation for each read operation performed in a serial TM execution. Informally, a du-opaque
(possibly, non-serial) execution must be indistinguishable from a totally-ordered execution, with
respect to which no transaction reads from a transaction that has not started committing.

We further show that our correctness criterion is a safety property, as defined by Owicki
and Lamport [13], Alpern and Schneider [1] and refined by Lynch [12]. We show that du-opacity
is prefix-closed: every prefix of a du-opaque history is also du-opaque. We also show
that du-opacity is, under certain restrictions, limit-closed. More precisely, assuming that, in
an infinite execution, every transaction completes (commits or aborts), the infinite limit of any
sequence of ever-extending du-opaque histories is also du-opaque. To prove du-opacity for such
an implementation, it is thus sufficient to prove that all its finite histories are du-opaque. To
the best of our knowledge, this paper contains the first non-trivial proof of limit-closure for a
TM correctness property. We further show that any du-opaque serialization of a history implies
a serialization of any of its prefixes that maintains the original read-from relations, which is
instrumental in the comparison of du-opacity with opacity.

Opacity, as defined in [5], reduces correctness of an infinite history to correctness of all
its prefixes, and thus is limit-closed by definition. In fact, we show that extending opacity
to infinite histories in a non-trivial way (i.e., requiring that even infinite histories should have
proper serializations) does not result in a limit-closed property. We observe that opacity does
not preclude scenarios in which a transaction reads from a future transaction (cf. examples in
Figures 4 and 5), and, thus, our criterion is strictly stronger than opacity. Surprisingly, this is
true even if we assume that all transactional operations are atomic, which somewhat attenuates
earlier attempts to forcefully introduce the deferred-update semantics in the definition of opacity for atomic
operations [3]. However, we show that opacity and du-opacity are equivalent if we assume that
no two transactions try to commit identical values on the same data item.

We believe that these results improve our understanding of the very notion of correctness 
in transactional memory. Our correctness criterion explicitly declares that a transaction is not 
allowed to read from an uncommitted transaction, and we conjecture that it is simpler to verify. 
We present the first non-trivial proof for both limit- and prefix-closure of TM histories, which 
is quite interesting in its own right, for it enables reasoning about possible serializations of an 
infinite TM history based on serializations of its prefixes. 

The paper is organized as follows. In Section 2 we introduce our basic model definitions
and recall the notion of safety [1, 12, 13]. In Section 3 we define our criterion of du-opacity
and show that it is, under certain restrictions, a safety property. In Section 4 we prove that
du-opacity is a proper subset of the original notion of opacity [5], and that the two criteria coincide
under the "unique-writes" condition.

2 Model 

A Transactional Memory (in short, TM) supports atomic transactions for reading and writing
a set of transactional objects (in short, t-objects). A transaction is a sequence of accesses (reads
or writes) to t-objects; each transaction $T_k$ has a unique identifier $k$.

A transaction $T_k$ may contain the following t-operations, each being a pair of invocation and
response events:

1. $read_k(X)$ returns a value in some domain $V$ or a special value $A_k \notin V$ (abort);

2. $write_k(X, v)$, for a value $v \in V$, returns $ok_k$ or $A_k$;

3. $tryC_k()$ returns $C_k \notin V$ (commit) or $A_k$; and

4. $tryA_k()$ returns $A_k$.

The read set (resp., the write set) of a transaction $T_k$, denoted $Rset(T_k)$, is the set of
t-objects that $T_k$ reads in $H$; the write set of $T_k$, denoted $Wset(T_k)$, is the set of t-objects $T_k$
writes to in $H$. The data set of $T_k$ is $Dset(T_k) = Rset(T_k) \cup Wset(T_k)$.

We consider an asynchronous shared-memory system in which processes communicate via
transactions. A TM implementation provides processes with algorithms for implementing $read_k$,
$write_k$, $tryC_k()$ and $tryA_k()$ of a transaction $T_k$.

A history of a TM implementation is a (possibly infinite) sequence of invocation and response 
events of t-operations. 

For every transaction identifier $k$, $H|k$ denotes the subsequence of $H$ restricted to events of
transaction $T_k$. If $H|k$ is non-empty, we say that $T_k$ participates in $H$, and let $txns(H)$ denote
the set of transactions that participate in $H$.

Two histories $H$ and $H'$ are equivalent if $txns(H) = txns(H')$ and for every transaction
$T_k \in txns(H)$, $H|k = H'|k$.

A history $H$ is sequential if every invocation of a t-operation is either the last event in $H$ or
is immediately followed by a matching response. A history is well-formed if for all $T_k$, $H|k$ is
sequential and has no events after $A_k$ or $C_k$. We assume that all histories are well-formed, i.e.,
the client of the transactional memory never invokes a t-operation before receiving a response
from the previous one and does not invoke any t-operation $op_k$ after receiving $C_k$ or $A_k$.

A transaction $T_k \in txns(H)$ is complete in $H$ if $H|k$ ends with a response event. The history
$H$ is complete if all transactions in $txns(H)$ are complete in $H$.

A transaction $T_k \in txns(H)$ is t-complete if $H|k$ ends with $A_k$ or $C_k$; otherwise, $T_k$ is
t-incomplete. $T_k$ is committed (resp., aborted) in $H$ if the last event of $T_k$ is $C_k$ (resp., $A_k$). The
history $H$ is t-complete if all transactions in $txns(H)$ are t-complete.

For t-operations $op_k, op_m$, we say that $op_k$ precedes $op_m$ in the real-time order of $H$, denoted
$op_k \prec_H^{RT} op_m$, if the response of $op_k$ precedes the invocation of $op_m$.

For transactions $T_k, T_m \in txns(H)$, we say that $T_k$ precedes $T_m$ in the real-time order of $H$,
denoted $T_k \prec_H^{RT} T_m$, if $T_k$ is t-complete in $H$ and the last event of $T_k$ precedes the first event
of $T_m$ in $H$. If neither $T_k \prec_H^{RT} T_m$ nor $T_m \prec_H^{RT} T_k$, then $T_k$ and $T_m$ overlap in $H$.

A history H is t-sequential if there are no overlapping transactions in H. 

For simplicity of presentation, we assume that each history $H$ begins with an "imaginary"
transaction $T_0$ that writes initial values to all t-objects and commits before any other transaction
begins in $H$.

Let $H$ be a t-sequential history. For every operation $read_k(X)$ in $H$, we define the latest
written value of $X$ as follows:

1. If $T_k$ contains a $write_k(X, v)$ preceding $read_k(X)$, then the latest written value of $X$ is the
value of the latest such write to $X$.

2. Otherwise, if $H$ contains a $write_m(X, v)$, $T_m$ precedes $T_k$, and $T_m$ commits in $H$, then the
latest written value of $X$ is the value of the latest such write to $X$ in $H$. (This write is
well-defined since $H$ starts with $T_0$ writing to all t-objects.)

A t-complete t-sequential history $S$ is legal if every $read_k(X)$ in $S$ that does not return $A_k$
returns the latest written value of $X$.

Definition 1. A property $\mathcal{P}$ is a set of (transactional) histories. A property $\mathcal{P}$ is a safety
property if it satisfies the following two conditions [1, 12]:

1. Prefix-closure: every prefix $H'$ of a history $H \in \mathcal{P}$ is also in $\mathcal{P}$; and

2. Limit-closure: for any infinite sequence of finite histories $H^0, H^1, \ldots$ such that for all $i$,
$H^i \in \mathcal{P}$ and $H^i$ is a prefix of $H^{i+1}$, the infinite history that is the limit of the sequence is
also in $\mathcal{P}$.

Notice that the set of histories produced by a TM implementation $M$ is prefix-closed. Therefore,
every infinite history of $M$ is the limit of an infinite sequence of ever-extending finite histories
of $M$. Thus, to prove that $M$ satisfies a safety property $\mathcal{P}$, it is enough to show that all
finite histories of $M$ are in $\mathcal{P}$. Indeed, limit-closure of $\mathcal{P}$ then implies that every infinite history
of $M$ is also in $\mathcal{P}$.



3 DU-Opacity 

In this section, we introduce our correctness criterion, du-opacity, and prove that a restriction 
of it is a safety property. 

Definition 2. Let $H$ be any history. A completion of $H$, denoted $\bar{H}$, is a history derived from
$H$ as follows:

• for every incomplete t-operation $op_k$ of $T_k \in txns(H)$ in $H$, if $op_k = read_k \vee write_k$,
insert $A_k$ somewhere after the invocation of $op_k$; else if $op_k = tryA_k() \vee tryC_k()$, insert a
matching response to $op_k$ somewhere after the invocation of $op_k$;

• for every complete transaction $T_k \in txns(H)$ that is not t-complete, insert $tryC_k() \cdot A_k$ somewhere after the last
event of transaction $T_k$.

Now we define our correctness criterion. We begin with defining what it means for a transaction
to read from another transaction in a t-sequential legal history.

Let $S$ be a legal t-sequential history, and let $<_S$ be the total order on t-operations in $S$.

Consider a read operation $read_k(X)$ in $S$ that does not abort, i.e., which returns a value
$v \in V$; its read-from transaction, denoted $\rho_S(read_k(X))$, is defined as follows:

(1) If there is a $write_k(X, v)$ performed by $T_k$ that is the latest write to $X$ in $T_k$ such that $write_k(X, v) <_S
read_k(X)$, then $\rho_S(read_k(X)) = T_k$. I.e., if the same transaction writes to $X$, then $read_k(X)$
is mapped to $T_k$.
Figure 1: A du-opaque history $H$; for any serialization $S$ of $H$, $\rho_S(R_1(X)) = T_2$ and $\rho_S(R_4(X)) = T_1$

(2) Otherwise, $\rho_S(read_k(X)) = T_m$, where $T_m$ is the earliest committed transaction in $S$ that
performs $write_m(X, v)$ such that $T_m <_S T_k$, and there is no committed transaction $T_l$ in $S$
that performs $write_l(X, v')$, $v' \neq v$, such that $T_m <_S T_l <_S T_k$. I.e., $read_k(X)$ is mapped
to the earliest committed transaction writing the value it read, which is not overwritten.

Definition 3. A history $H$ is du-opaque if there is a legal t-complete t-sequential history $S$
such that

(1) for every pair of transactions $T_k, T_m \in txns(H)$, if $T_k \prec_H^{RT} T_m$, then $T_k <_S T_m$, i.e., $S$
respects the real-time ordering of transactions in $H$, and

(2) there exists a completion of $H$ that is equivalent to $S$, and

(3) for each $read_k(X)$ in $H$ that does not return $A_k$ such that $\rho_S(read_k(X)) = T_m$:
$read_k(X) \not\prec_H^{RT} tryC_m()$.

We then say that $S$ is a (du-opaque) serialization of $H$. Let $seq(S)$ denote the sequence of
transactions in $S$ and $seq(S)[k]$ be the $k$-th transaction in this sequence.

Figure 1 presents a du-opaque history $H$ to illustrate the usage of the notion of a read-from
transaction. Let $S$ be the t-complete t-sequential history such that $seq(S) = T_2, T_3, T_1, T_4$ and
$S$ is equivalent to $H$. It is easy to see that $S$ is legal and respects the real-time order of $H$. By
definition, $\rho_S(read_1(X)) = T_2$ since $T_2$ is the earliest committed transaction in $S$ that writes $v$
to $X$. Then we observe that $read_1(X) \not\prec_H^{RT} tryC_2()$. For $read_3(X)$, $\rho_S(read_3(X)) = T_1$. Further,
$\rho_S(read_4(X)) = T_1$ and $read_4(X) \not\prec_H^{RT} tryC_1()$. Thus, $S$ is a du-opaque serialization of $H$.

Now we show that du-opacity has an important property: every serialization of a du-opaque
history yields a serialization for each of its prefixes that preserves the read-from relations of the
original history intact. For a history $H$, let $H^i$ be the finite prefix of $H$ of length $i$ (consisting
of the first $i$ events of $H$).

Theorem 1. Let $H$ be a du-opaque history and $S$ be a du-opaque serialization of $H$. For any
$i \in \mathbb{N}$, there is a serialization $S^i$ of $H^i$ such that (1) $seq(S^i)$ is a subsequence of $seq(S)$ and (2)
for every $read_k(X)$ in $H^i$ that does not return $A_k$, if $\rho_S(read_k(X)) = T_m$, then $\rho_{S^i}(read_k(X)) =
T_m$.

Proof. Given $H$, $S$ and $H^i$, define a t-complete t-sequential history $S^i$ as follows:

• for every t-complete transaction $T_k$ in $H^i$, $S^i|k = S|k$.

• for every complete transaction $T_k$ in $H^i$ that is not t-complete, $S^i|k$ consists of the sequence
of events in $H^i|k$, immediately followed by $tryC_k() \cdot A_k$.

• for every transaction $T_k \in txns(H^i)$ with an incomplete t-operation $op_k = read_k \vee write_k$ in
$H^i$, $S^i|k$ is the sequence of events in $S|k$ up to the invocation of $op_k$, immediately followed
by $A_k$.

• for every transaction $T_k \in txns(H^i)$ with an incomplete t-operation $op_k = tryC_k() \vee tryA_k()$,
$S^i|k = S|k$.

By construction, $txns(S^i) \subseteq txns(S)$. We further require that $seq(S^i)$ is a subsequence of
$seq(S)$.

Since $S^i$ is derived from events in $\bar{H}$ (some completion of $H$ that is equivalent to $S$), there
is a completion of $H^i$ that is equivalent to $S^i$, since $S^i$ contains events from every complete
t-operation in $H^i$ and the other events included clearly conform to Definition 2.

We now claim that $S^i$ is a serialization of $H^i$.

(1) Suppose, by way of contradiction, that for some pair of transactions $T_j, T_k \in txns(H^i)$,
$T_j \prec_{H^i}^{RT} T_k$, but $T_k <_{S^i} T_j$. Since $T_j, T_k \in txns(H)$ and $H^i$ is a prefix of $H$, this implies
$T_j \prec_H^{RT} T_k$ and hence $T_j <_S T_k$, which contradicts $seq(S^i)$ being a subsequence of $seq(S)$.

(2) Suppose, by way of contradiction, that $S^i$ is not legal, i.e., there is some $read_k(X)$ in $H^i$
that does not return the latest written value of $X$ in $S^i$. There are two cases:

• Suppose that there is a $write_k(X, v)$ performed by $T_k$ that is the latest write to $X$ in $T_k$ such
that $write_k(X, v) <_{S^i} read_k(X)$. Then, if $v$ is not the latest written value of $X$ in
$S^i$, it is also not the latest written value of $X$ in $S$, which is a contradiction.

• Suppose that there is no such $write_k(X, v)$ performed by $T_k$. $S$ is a serialization of $H$, thus
we can consider the transaction $T_m = \rho_S(read_k(X))$, for which $read_k(X) \not\prec_H^{RT} tryC_m()$.
Hence, $T_m \in txns(H^i)$. By construction of $S^i$, $T_m \in txns(S^i)$ and $T_m$ is committed
in $S^i$. By assumption, $read_k(X)$ returns $v$ in $H^i$ such that $v$ is not the latest written
value of $X$ in $S^i$. Hence, there exists a committed transaction $T_j$ that performs
$write_j(X, v')$, $v' \neq v$, in $S^i$ such that $T_m <_{S^i} T_j <_{S^i} T_k$. But this is not possible since
$seq(S^i)$ is a subsequence of $seq(S)$, contradicting the fact that $T_m = \rho_S(read_k(X))$.

Thus, $S^i$ is a legal t-complete t-sequential history equivalent to some completion of $H^i$.

(3) Suppose, by way of contradiction, that there is a $read_k(X)$ in $H^i$ such that $\rho_S(read_k(X)) =
T_m$, but $\rho_{S^i}(read_k(X)) \neq T_m$. $T_m \in txns(H^i)$ since $read_k(X) \not\prec_H^{RT} tryC_m()$. By
construction of $S^i$, $T_m \in txns(S^i)$ and $T_m$ is committed in $S^i$. The only possibility is that
there exists a committed transaction $T_j \in txns(H^i)$ that performs $write_j(X, v)$ such that
$T_j <_{S^i} T_m$. However, this implies that $T_j <_S T_m$, i.e., $T_m$ is not the read-from transaction
for $read_k(X)$ in $S$, which is a contradiction.

(4) The above argument implies that for every $read_k(X)$ in $H^i$, if $\rho_{S^i}(read_k(X)) = T_m$, then
$read_k(X) \not\prec_{H^i}^{RT} tryC_m()$.

□ 

Theorem 1 immediately implies that du-opacity is prefix-closed.

Corollary 2. DU-Opacity is a prefix-closed property.

We show now that, in general, du-opacity is not a limit-closed property by presenting an 
infinite history that is not du-opaque, but every prefix of it is du-opaque. 

Proposition 1. DU-Opacity is not a limit-closed property. 
Figure 2: Each finite prefix of the history is du-opaque, but the infinite limit of the ever-extending
sequence is not du-opaque

Proof. Let $H^j$ denote the finite prefix of $H$ of length $j$. Consider the infinite history $H$ that
is the limit of the histories $H^j$ defined as follows (see Figure 2):

- Transaction $T_1$ performs a $write_1(X, 1)$ and then invokes $tryC_1()$, which is incomplete in $H$.

- Transaction $T_2$ performs a $read_2(X)$ that overlaps with $tryC_1()$ and returns 1.

- There are infinitely many transactions $T_i$, $i \geq 3$, each of which performs a single $read_i(X)$
that returns the initial value of $X$, such that each $T_i$ overlaps with both $T_1$ and $T_2$.

A t-complete t-sequential history $S^j$ is derived from the sequence $T_3, \ldots, T_j, T_1, T_2$ in which
(1) $tryC_1()$ is completed by inserting $C_1$ immediately after its invocation and (2) any incomplete
$read_i(X)$ is completed by inserting $A_i$ immediately after its invocation. It is easy to observe
that $S^j$ is indeed a serialization of $H^j$.

However, there is no serialization of $H$. Suppose that such a serialization $S$ exists. Since
every transaction that participates in $H$ must participate in $S$, there exists $n \in \mathbb{N}$ such that
$seq(S)[n] = T_1$. Consider the transaction at index $n + 1$, say $T_i$, in $seq(S)$. But for any $i \geq 3$, $T_i$
must precede $T_1$ in any serialization (by legality), which is a contradiction. □

We next prove that du-opacity is limit-closed if we assume that, in an infinite history, every 
transaction eventually commits or aborts. 

The proof uses König's Path Lemma on a rooted directed graph $G$. Let $v_0$ be the root
vertex of $G$; a vertex $v_k$ of $G$ is reachable from $v_0$ if there is a sequence of vertices $v_0, \ldots, v_k$
such that for each $i$, there exists an edge from $v_i$ to $v_{i+1}$. $G$ is connected if every vertex in $G$
is reachable from $v_0$. $G$ is finitely branching if every vertex in $G$ has a finite out-degree. $G$ is
infinite if the set of vertices in $G$ is infinite.

Lemma 3 (König's Path Lemma [9]). If $G$ is an infinite connected finitely branching rooted
directed graph, then $G$ contains an infinite sequence of vertices $v_0, v_1, \ldots$ such that $v_0$ is the
root, for every $i \geq 0$, there is an edge from $v_i$ to $v_{i+1}$, and for every $i \neq j$, $v_i \neq v_j$.

Theorem 4. Under the restriction that in any infinite history $H$, every transaction $T_k \in
txns(H)$ is t-complete, du-opacity is a limit-closed property.

Proof. We are given an infinite sequence of finite histories $H^0, H^1, \ldots, H^i, H^{i+1}, \ldots$ such that for
all $i$, $H^i$ is a prefix of $H^{i+1}$. Let $H$ be the corresponding infinite limit history. Assume that for
all $i$, $H^i$ is du-opaque; we prove that $H$ is also du-opaque.
We construct a rooted directed graph $G_H$ for $H$.

(0) The root vertex of $G_H$ is $(H^0, S^0)$ where $S^0$ and $H^0$ contain the initial transaction $T_0$.

(1) Each non-root vertex of $G_H$ is a tuple $(H^i, S^i_a)$, where $S^i_a$ is some du-opaque serialization
of $H^i$. In the rest of this proof, when we refer to a specific $S^i$, it is understood to be
associated with the prefix $H^i$ of $H$.
(2) Let $cseq_i(S^j)$, $j \geq i$, denote the subsequence of $seq(S^j)$ reduced to t-complete transactions
in $H^i$. For every pair of vertices $v = (H^i, S^i)$ and $v' = (H^{i+1}, S^{i+1})$ in $G_H$, there is an
edge from $v$ to $v'$ if $cseq_i(S^i) = cseq_i(S^{i+1})$.

The out-degree of a vertex $v = (H^i, S^i)$ in $G_H$ is defined by the cardinality of the set
of the possible serializations of $H^{i+1}$. The out-degree is bounded by the number of possible
permutations of the set $txns(S^{i+1})$, implying that $G_H$ is finitely branching.

By Theorem 1, given a serialization $S^{i+1}$ of $H^{i+1}$, there exists a serialization $S^i$ of $H^i$
such that $seq(S^i)$ is a subsequence of $seq(S^{i+1})$. Since $seq(S^{i+1})$ contains every t-complete
transaction in $H^i$, $cseq_i(S^i) = cseq_i(S^{i+1})$. Therefore, for every vertex $(H^{i+1}, S^{i+1})$, there is
a vertex $(H^i, S^i)$ such that $cseq_i(S^i) = cseq_i(S^{i+1})$. Therefore, we can iteratively construct a
path from $(H^0, S^0)$ to every vertex $(H^i, S^i)$ in $G_H$, implying that $G_H$ is connected.

We now apply König's Path Lemma to $G_H$. Since $G_H$ is an infinite connected finitely
branching rooted directed graph, we can derive an infinite sequence of non-repeating vertices

$C = (H^0, S^0), (H^1, S^1), \ldots, (H^i, S^i), \ldots$

such that $cseq_i(S^i) = cseq_i(S^{i+1})$.

The rest of the proof explains how to use C to construct a serialization of H. We begin with 
the following claim concerning C. 

Claim 5. For any $j \geq i$, $cseq_i(S^i) = cseq_i(S^j)$.

Proof. From $C$, we have the following relations: $cseq_i(S^i)$ is a prefix of $cseq_i(S^{i+1})$, and
$cseq_{i+1}(S^{i+1})$ is a prefix of $cseq_{i+1}(S^{i+2})$. By definition, $cseq_i(S^{i+1})$ is a subsequence of
$cseq_{i+1}(S^{i+1})$ since every transaction that is t-complete in $H^i$ is also t-complete in $H^{i+1}$.
Hence, $cseq_i(S^i)$ is a subsequence of $cseq_{i+1}(S^{i+2})$. But, $cseq_{i+1}(S^{i+2})$ is a subsequence of
$cseq_{i+2}(S^{i+2})$. Thus, $cseq_i(S^i)$ is a subsequence of $cseq_{i+2}(S^{i+2})$. This argument can be
extended to show that for any $j \geq i$, $cseq_i(S^i)$ is a subsequence of $cseq_j(S^j)$. By definition,
$cseq_i(S^j)$ is the subsequence of $cseq_j(S^j)$ reduced to t-complete transactions in $H^i$. Thus,
$cseq_i(S^i)$ is indeed equal to $cseq_i(S^j)$. □

Let $f : \mathbb{N} \to txns(H)$ be defined as follows: $f(1) = T_0$. For every integer $k > 1$, let

$i_k = \min\{\ell \in \mathbb{N} \mid \forall j \geq \ell : cseq_\ell(S^\ell)[k] = cseq_j(S^j)[k]\}$

Then, $f(k) = cseq_{i_k}(S^{i_k})[k]$.

Claim 6. The function $f$ is total and bijective.

Proof. (Totality) Since each transaction $T \in txns(H)$ is t-complete in some prefix $H^i$ of $H$,
there are $i, k \in \mathbb{N}$ such that $cseq_i(S^i)[k] = T$. By Claim 5, for any $j \geq i$, $cseq_i(S^i) = cseq_i(S^j)$.
Since every transaction that is t-complete in $H^i$ is also t-complete in $H^j$, it follows that for
every $j \geq i$, $cseq_j(S^j)[k'] = T$, with $k' \geq k$.

Since $T$ is t-complete in $H$, there is $i$, $cseq_i(S^i)[k] = T$, such that for every transaction $T' \in
txns(S^{i+1}) \setminus txns(S^i)$, $T \prec_H^{RT} T'$. Since $cseq_i(S^i) = cseq_i(S^j)$ and $T$ must precede $T'$ in any
serialization, for every $j \geq i$, $cseq_j(S^j)[k] = T$.

(Surjectivity) The above argument shows that for every $T \in txns(H)$, there are $i, k$, $cseq_i(S^i)[k] =
T$, such that for every $j \geq i$, $cseq_j(S^j)[k] = T$. Thus, for every $T \in txns(H)$, there is $k$ such
that $f(k) = T$.

(Injectivity) Assume, by way of contradiction, that for some $k \neq m$, $f(k)$ and $f(m)$ are
transactions at indices $k, m$ of the same $cseq_i(S^i)$, and that $f(k) = f(m)$. Then $f(k)$ is the
transaction at index $k$ in some $cseq_i(S^i)$ and $f(m)$ is the transaction at index $m$ in some
$cseq_\ell(S^\ell)$. For every $\ell \geq i$ and $k < m$, if $cseq_i(S^i)[k] = T$, then $cseq_\ell(S^\ell)[m] \neq T$ since
$cseq_i(S^i) = cseq_i(S^\ell)$. If $\ell \geq i$ and $k > m$, it follows from the definition that $f(k) \neq f(m)$.
Similar arguments for the case when $\ell < i$ imply that $f(k) \neq f(m)$. □

By Claim 6, $\mathcal{F} = f(1), f(2), \ldots$ is an infinite sequence of transactions. Let $S$ be a
t-complete t-sequential history such that $seq(S) = \mathcal{F}$ and for each transaction $T_k \in txns(H)$,
$S|k = H|k$. Clearly, $S$ is equivalent to the t-complete history $H$.

Let $\mathcal{F}^i$ be the prefix of $\mathcal{F}$ of length $i$, and $S^i$ be the prefix of $S$ such that $seq(S^i) = \mathcal{F}^i$.

Claim 7. Let $H^j_i$ be the subsequence of $H^j$ reduced to transactions in $S^i$ such that each $T_k \in
txns(S^i)$ is t-complete in $H^j$. Then, for every $i$, there is $j$ such that $S^i$ is a serialization of $H^j_i$.

Proof. Let $H^j$ be the shortest prefix of $H$ (from $C$) such that for each $T \in txns(S^i)$, if
$seq(S^j)[k] = T$, then for every $j' \geq j$, $seq(S^{j'})[k] = T$. From the construction of $\mathcal{F}$, such
$j$ and $k$ exist. Also, we observe that $txns(S^i) \subseteq txns(S^j)$ and $\mathcal{F}^i$ is a subsequence of $seq(S^j)$.
Using arguments similar to the proof of Theorem 1, it follows that $S^i$ is indeed a serialization
of $H^j_i$. □

Claim 7 completes the proof. □

From Corollary 2 and Theorem 4, we have:

Corollary 8. Under the restriction that in any infinite history $H$, every transaction $T_k \in
txns(H)$ is t-complete in $H$, du-opacity is a safety property.

4 Comparison with Other TM Consistency Definitions 

In this section, we relate du-opacity with opacity, as defined by Guerraoui and Kapalka [5].
Note that the definition presented in [5] applies to any object with a sequential specification.
For the sake of comparison, we restrict it here to TMs with read-write semantics.

Definition 4 (Guerraoui and Kapalka [4, 5]). A finite history $H$ is final-state opaque if there
is a legal t-complete t-sequential history $S$, such that

(1) $S$ is equivalent to a completion of $H$ (cf. Definition 2), and

(2) for any two transactions $T_k, T_m \in txns(H)$, if $T_k \prec_H^{RT} T_m$, then $T_k <_S T_m$.
We say that $S$ is a final-state serialization of $H$.

Figure 3 presents a t-complete sequential history $H$, demonstrating that final-state opacity
is not a prefix-closed property. $H$ is final-state opaque, with $T_1 \cdot T_2$ being a legal t-complete
t-sequential history equivalent to $H$. Let $H' = write_1(X, 1), read_2(X)$ be a prefix of $H$ in which
$T_1$ and $T_2$ are t-incomplete. By Definition 2, $T_i$ ($i = 1, 2$) is completed by inserting $tryC_i \cdot A_i$
immediately after the last event of $T_i$ in $H'$. Observe that neither $T_1 \cdot T_2$ nor $T_2 \cdot T_1$ is a sequence
that allows us to derive a serialization of $H'$ (we assume that the initial value of $X$ is 0).

A restriction of final-state opacity, which we refer to as opacity, was presented in [5] by 
explicitly filtering out histories that are not prefix-closed. 

Definition 5 (Guerraoui and Kapalka [5]). A history H is opaque if and only if every finite 
prefix H' of H (including H itself if it is finite) is final-state opaque. 

Since final-state opacity is defined only for finite histories, we immediately have: 

Theorem 9. Opacity is a safety property. 
[Figure 3 depicts $T_1$: $W_1(X, 1)$, $tryC_1 \to C_1$ and $T_2$: $R_2(X) \to 1$, $tryC_2 \to C_2$; the prefix $H'$ ends after $R_2(X)$.]

Figure 3: History $H$ is final-state opaque, while its prefix $H'$ is not final-state opaque

[Figure 4 depicts $T_1$; $T_2$: $R_2(X) \to 1$; $T_3$: $W_3(X, 1)$, $tryC_3 \to C_3$.]

Figure 4: History $H$ is opaque, but not du-opaque

4.1 DU-Opacity and Opacity: a separation 
Proposition 2. There is an opaque history that is not du-opaque. 

Proof. Consider the finite history $H$ depicted in Figure 4. To prove that $H$ is opaque, we
proceed by examining every prefix of $H$.

1. Each prefix up to the invocation of $read_2(X)$ is trivially final-state opaque.

2. Consider the prefix $H^i$ of $H$ where the $i$-th event is the response of $read_2(X)$. Let $S^i$ be a
t-complete t-sequential history derived from the sequence $T_1, T_2$ by inserting $C_1$ immediately
after the invocation of $tryC_1()$. It is easy to see that $S^i$ is a final-state serialization of $H^i$.

3. Consider the t-complete t-sequential history $S$ derived from the sequence $T_1, T_3, T_2$ in
which each transaction is t-complete in $H$. Clearly, $S$ is a final-state serialization of $H$.

Since $H$ and every (proper) prefix of it are final-state opaque, $H$ is opaque.

Consider any possible final-state serialization $S$ of $H$. Since $T_1$ is aborted in $H$, $\rho_S(read_2(X)) =
T_3$. But $read_2(X) \prec_H^{RT} tryC_3()$, a contradiction. Thus, $H$ is not du-opaque. □
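The following checker is an added example, not code from the paper: it implements the latest-written-value rule, the read-from map $\rho_S$ (both cases) and conditions (1) and (3) of Definition 3, then enumerates the final-state serializations (Definition 4) of a history built from the prose description of Figure 4 to show that such serializations exist but none of them is du-opaque. The event interleaving, the `Event`/`Txn` encoding and the assumption that $T_2$ commits are mine, not the paper's.

```python
from dataclasses import dataclass, field
from itertools import permutations
from typing import Any, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    tid: int                    # transaction identifier k
    kind: str                   # "inv" or "res"
    op: str                     # "read", "write", "tryC" or "tryA"
    obj: Optional[str] = None   # t-object for read/write
    val: Any = None             # write inv: value; read res: value or "A"; tryC/tryA res: "C"/"A"

@dataclass
class Txn:                      # H|k reduced to what legality and read-from need
    tid: int
    ops: List[Tuple[str, str, Any, int]] = field(default_factory=list)  # (op, obj, value, H index)
    outcome: Optional[str] = None   # "C", "A" or None (t-incomplete)
    tryc_inv: Optional[int] = None  # H index of the invocation of tryC_k

def project(H: List[Event]) -> Dict[int, Txn]:
    """Build H|k for every k; a read is recorded with the value it returned."""
    txns: Dict[int, Txn] = {}
    pending: Dict[int, str] = {}    # tid -> t-object of an invoked, unanswered read
    for i, e in enumerate(H):
        t = txns.setdefault(e.tid, Txn(e.tid))
        if e.kind == "inv":
            if e.op == "write":
                t.ops.append(("write", e.obj, e.val, i))
            elif e.op == "read":
                pending[e.tid] = e.obj
            elif e.op == "tryC":
                t.tryc_inv = i
        elif e.val == "A":          # A_k may be returned by any t-operation
            t.outcome = "A"
        elif e.op == "read":
            t.ops.append(("read", pending.pop(e.tid), e.val, i))
        elif e.op == "tryC":
            t.outcome = "C"
    return txns

def committed_write(t: Txn, X: str) -> Optional[Any]:   # value T_k leaves in X, or None
    return ([v for (op, o, v, _) in t.ops if op == "write" and o == X] or [None])[-1]

def latest_written_value(seq: List[int], txns: Dict[int, Txn], k: int, idx: int) -> Any:
    """Case 1: T_k's own earlier write to X; case 2: the last committed writer of X before T_k in S."""
    _, X, _, _ = txns[k].ops[idx]
    own = [v for (op, o, v, _) in txns[k].ops[:idx] if op == "write" and o == X]
    before = [committed_write(txns[m], X) for m in seq[:seq.index(k)] if txns[m].outcome == "C"]
    before = [w for w in before if w is not None]
    return own[-1] if own else (before[-1] if before else None)

def is_legal(seq: List[int], txns: Dict[int, Txn]) -> bool:
    return all(v == latest_written_value(seq, txns, k, i) for k in seq
               for i, (op, _, v, _) in enumerate(txns[k].ops) if op == "read")

def read_from(seq: List[int], txns: Dict[int, Txn], k: int, idx: int) -> int:
    """rho_S(read_k(X)): T_k if it wrote X before the read, else the earliest committed writer of
    the value read that no committed transaction between it and T_k overwrites with another value."""
    _, X, v, _ = txns[k].ops[idx]
    if any(op == "write" and o == X for (op, o, _, _) in txns[k].ops[:idx]):
        return k
    pos = seq.index(k)
    for i, m in enumerate(seq[:pos]):
        if txns[m].outcome == "C" and committed_write(txns[m], X) == v:
            between = [committed_write(txns[t], X) for t in seq[i + 1:pos] if txns[t].outcome == "C"]
            if not any(w is not None and w != v for w in between):
                return m
    raise ValueError("S is not legal: no read-from transaction")

def respects_real_time(H: List[Event], txns: Dict[int, Txn], seq: List[int]) -> bool:
    first = {k: min(i for i, e in enumerate(H) if e.tid == k) for k in seq}
    last = {k: max(i for i, e in enumerate(H) if e.tid == k) for k in seq}
    # T_k <_H^RT T_m (T_k t-complete, its last event before T_m's first) must imply T_k <_S T_m
    return all(seq.index(k) < seq.index(m) for k in seq for m in seq
               if k != m and txns[k].outcome is not None and last[k] < first[m])

def deferred_update_violations(H, txns, seq) -> List[Tuple[int, str, int]]:
    """Condition (3) of Definition 3: reads whose response precedes tryC of their read-from txn."""
    bad = []
    for k in seq:
        for idx, (op, X, _, pos) in enumerate(txns[k].ops):
            if op == "read":
                m = read_from(seq, txns, k, idx)
                if m != k and pos < txns[m].tryc_inv:   # read_k(X) <^RT_H tryC_m()
                    bad.append((k, X, m))
    return bad

def classify(H: List[Event]):
    """Final-state serializations of a t-complete H (Definition 4) and those that are du-opaque."""
    txns = project(H)
    final_state, du = [], []
    for p in permutations([k for k in txns if k != 0]):
        seq = [0, *p]                                   # the imaginary T_0 serializes first
        if is_legal(seq, txns) and respects_real_time(H, txns, seq):
            final_state.append(tuple(seq))
            if not deferred_update_violations(H, txns, seq):
                du.append(tuple(seq))
    return final_state, du

def figure4_history() -> List[Event]:
    """Constructed from the prose on Figure 4 (the interleaving and T2's commit are assumptions)."""
    E = Event
    return [E(0, "inv", "write", "X", 0), E(0, "res", "write", val="ok"),     # T0: initial X = 0
            E(0, "inv", "tryC"), E(0, "res", "tryC", val="C"),
            E(1, "inv", "write", "X", 1), E(1, "res", "write", val="ok"), E(1, "inv", "tryC"),
            E(2, "inv", "read", "X"), E(2, "res", "read", "X", 1),           # read_2(X) -> 1
            E(3, "inv", "write", "X", 1), E(3, "res", "write", val="ok"),
            E(3, "inv", "tryC"), E(3, "res", "tryC", val="C"),               # T3 commits X = 1
            E(1, "res", "tryC", val="A"),                                    # T1 aborts on seeing T3
            E(2, "inv", "tryC"), E(2, "res", "tryC", val="C")]
```

`classify(figure4_history())` returns three final-state serializations (every one with $T_3$ before $T_2$, since the aborted $T_1$ cannot supply the value 1) and no du-opaque one, because in each of them $read_2(X)$ reads from $T_3$ while its response precedes the invocation of $tryC_3()$.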

Note that even under the restriction that every t-operation is sequential, there is an opaque
history that is not du-opaque. Figure 5 describes a complete sequential history $H$ that is opaque,
but not du-opaque. No two overlapping transactions in $H$ write identical values to the same
t-object. Observe that every prefix of the history is final-state opaque. But there is only one
final-state serialization $S$ of the history, where $seq(S) = T_1, T_2, T_3, T_4$ and $read_4(X)$ reads-from
$T_3$ in $S$. Since $read_4(X) \prec_H^{RT} tryC_3()$, $H$ is not du-opaque.

Theorem 10. DU-Opacity $\subseteq$ Opacity.

Proof. We first claim that every finite du-opaque history is opaque. Let $H$ be a finite du-opaque
history. By definition, there exists a final-state serialization $S$ of $H$. Since du-opacity
is a prefix-closed property, every prefix of $H$ is final-state opaque. Thus, $H$ is opaque.

By Corollary 2, every prefix of a du-opaque history is also du-opaque, hence, by Definition 5,
every infinite du-opaque history is also opaque. □






[Figure 5 depicts $T_1$: $W_1(X, 1)$, $tryC_1 \to C_1$; $T_2$: $W_2(X, 2)$, $tryC_2 \to C_2$; $T_3$: $W_3(Y, 1)$, $W_3(X, 1)$, $tryC_3 \to C_3$; $T_4$: $R_4(X) \to 1$, $R_4(Y) \to 1$.]

Figure 5: History $H$ is opaque, but not du-opaque, even under the overlapping unique writes
assumption

Proposition 2 now establishes that du-opacity is indeed a restriction of opacity.
Corollary 11. DU-Opacity $\subset$ Opacity.

A closer examination of the histories depicted in Figures 4 and 5 reveals interesting insights 
on the characteristics of opaque histories that are not du-opaque. Consider the history H 
depicted in Figure 4. Transaction T_1 invokes tryC_1() to update the t-object X, but returns 
A_1 on observing an overlapping transaction T_3 that also attempts to update X with the same 
value. Observe that read_2(X) reads-from transaction T_1 in any serialization of the prefix H^i 
of H whose i-th event is the response of read_2(X). However, its read-from transaction shifts to T_3 in 
any serialization of H. The history H depicted in Figure 5 is also interesting because T_2 
overwrites the value of X written by T_1, and T_2's write is subsequently overwritten by T_3, which writes 
the same value of X that T_1 wrote. Looking at the prefix H^i of H, where the i-th event is the 
response of read_4(X), read_4(X) reads-from T_1 in any serialization of H^i, but reads-from T_3 in 
any serialization of H. 
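To make the shift of the read-from relation concrete, here is a small brute-force checker, written for this page and not part of the paper, that enumerates the final-state serializations of a sequential history with and without the deferred-update constraint and reports which transaction each t-read reads from. The event encoding, the initial value 0 for every t-object, the completion of incomplete transactions (a pending tryC may commit or abort, a live transaction is aborted), the exact interleaving of Figure 5 and all function names are my assumptions, reconstructed from the figure and the text above.

```python
from itertools import permutations, product

# Event encoding for a sequential history (assumption, not the paper's notation):
#   ("W", t, obj, val)   write_t(obj, val)
#   ("R", t, obj, val)   read_t(obj) returning val (invocation and response as one event)
#   ("TRYC", t)          invocation of tryC_t
#   ("C", t) / ("A", t)  response of tryC_t: committed / aborted
INIT = 0  # assumed initial value of every t-object

# Reconstruction of Figure 5 (assumption, consistent with the text): T_4 reads X
# after T_1 commits and before T_2 commits, and reads Y after T_3 commits.
FIG5 = [
    ("W", 1, "X", 1), ("TRYC", 1), ("C", 1),
    ("R", 4, "X", 1),
    ("W", 2, "X", 2), ("TRYC", 2), ("C", 2),
    ("W", 3, "X", 1), ("W", 3, "Y", 1), ("TRYC", 3), ("C", 3),
    ("R", 4, "Y", 1),
]

def txns(h):
    """Transaction ids in order of first appearance."""
    return list(dict.fromkeys(e[1] for e in h))

def completions(h):
    """Complete h: a pending tryC may commit or abort, a live transaction (no tryC
    yet) is aborted.  Events are appended, so original event indices stay stable."""
    pending = [t for t in txns(h) if ("TRYC", t) in h
               and ("C", t) not in h and ("A", t) not in h]
    live = [t for t in txns(h) if ("TRYC", t) not in h]
    live_tail = [ev for t in live for ev in (("TRYC", t), ("A", t))]
    for choice in product("CA", repeat=len(pending)):
        yield h + [(c, t) for c, t in zip(choice, pending)] + live_tail

def precedes(h, a, b):
    """Real-time order: a's last event is before b's first event."""
    last_a = max(i for i, e in enumerate(h) if e[1] == a)
    first_b = min(i for i, e in enumerate(h) if e[1] == b)
    return last_a < first_b

def reads_from(h, seq):
    """Run the transactions of h one after another in order seq.  Return
    {read_index: writer} (writer None = initial value) if every read returns the
    latest committed write or the reader's own earlier write, else None."""
    committed, result = {}, {}
    for t in seq:
        local = {}
        for i, e in enumerate(h):
            if e[1] != t:
                continue
            if e[0] == "W":
                local[e[2]] = e[3]
            elif e[0] == "R":
                obj, val = e[2], e[3]
                if obj in local:
                    expected, writer = local[obj], t
                else:
                    expected, writer = committed.get(obj, (INIT, None))
                if expected != val:
                    return None
                result[i] = writer
        if ("C", t) in h:          # only committed writes become visible
            for obj, val in local.items():
                committed[obj] = (val, t)
    return result

def du_violations(h, rf):
    """Reads whose response precedes the invocation of tryC of the transaction
    they read from: exactly what the deferred-update constraint forbids."""
    return [i for i, w in rf.items()
            if w is not None and w != h[i][1] and h.index(("TRYC", w)) > i]

def serializations(h, du=False):
    """All final-state serializations of h as (transaction order, reads-from);
    with du=True only those that also respect the deferred-update constraint."""
    found = []
    for hc in completions(h):
        for seq in permutations(txns(hc)):
            if any(precedes(hc, seq[j], seq[i])
                   for i in range(len(seq)) for j in range(i + 1, len(seq))):
                continue  # violates real-time order
            rf = reads_from(hc, seq)
            if rf is None or (du and du_violations(hc, rf)):
                continue
            found.append((list(seq), rf))
    return found

def final_state_opaque(h):
    return bool(serializations(h))

def opaque(h):
    """Finite history: opaque iff every prefix is final-state opaque."""
    return all(final_state_opaque(h[:n]) for n in range(len(h) + 1))

def du_opaque(h):
    return bool(serializations(h, du=True))

if __name__ == "__main__":
    print("opaque:", opaque(FIG5), "du-opaque:", du_opaque(FIG5))
    (order, rf), = serializations(FIG5)            # the only serialization of H
    print("seq(S) =", order, "; read_4(X) reads-from T", rf[3])
    (_, rf_prefix), = serializations(FIG5[:4])     # prefix ending at read_4(X)
    print("in the prefix, read_4(X) reads-from T", rf_prefix[3])
```

Running it on the reconstructed Figure 5 shows the pattern Theorem 12 below formalizes: every prefix has a final-state serialization, the full history has exactly one (T_1, T_2, T_3, T_4) in which read_4(X) reads from T_3, while in the prefix ending at read_4(X) the same read reads from T_1; the du check rejects the full history because read_4(X) returned before tryC_3 was invoked.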

We formalize this observation with the following theorem. 

Theorem 12. A finite opaque history H is not du-opaque iff there exists a prefix H' of H and 
some read_k(X) in H', that does not return A_k, such that for any final-state serialization S of 
H, if ρ_S(read_k(X)) = T_m, there does not exist any final-state serialization S' of H' such that 
ρ_{S'}(read_k(X)) = T_m. 

Proof. (⇒) Since H is opaque but not du-opaque, there exists a read_k(X) in H such that 
ρ_S(read_k(X)) = T_m, but the response v of read_k(X) precedes the invocation of tryC_m() in H. 
Now, let H' denote the prefix of H of length i where the i-th event is the response of read_k(X). 
Observe that T_m is aborted in any final-state serialization S' of H'. Thus, there does not exist 
any S' such that ρ_{S'}(read_k(X)) 

(⇐) By Theorem 1, for every du-opaque history H and any du-opaque serialization S 
of H, every prefix H' of H has a serialization S' such that (1) 
seq(S') is a subsequence of seq(S) and (2) for every read_k(X) in H' that does not return A_k, 
if ρ_S(read_k(X)) = T_m, then ρ_{S'}(read_k(X)) = T_m. Since every du-opaque serialization of a history is 
also its final-state serialization, the proof follows. □ 

4.2 DU-Opacity and Opacity: Equivalence 

We now show that du-opacity is equivalent to opacity assuming that no two transactions write 
identical values to the same t-object ("unique-write" assumption). 

Definition 6. We say that a property P is restricted under unique writes if P contains no 
history H in which two transactions T_k, T_m ∈ txns(H) perform write_k(X,v) and write_m(X,v'), 
respectively, such that v = v'. 

The following lemma is now immediate from Theorem 1. 

Figure 6: History with T_1: W_1(X,1), tryC_1; T_2: a t-read returning 1; T_3: W_3(X,1), W_3(Y,1), tryC_3. History is du-opaque, but not opaque by the definition in [3]. 

Lemma 13. Let H be a finite opaque history restricted to unique writes. Then, H is du-opaque. 

Proof. Let H be any finite opaque history restricted to unique writes and H' be any prefix 
of H. Let S be any final-state serialization of H. It is easy to see that there exists a final-state 
serialization S' of H' such that for every read_k(X) in H' that does not return A_k, if 
ρ_S(read_k(X)) = T_m, then ρ_{S'}(read_k(X)) = T_m. The lemma follows from Theorem 1. □ 

We can now prove the following theorem. 

Theorem 14. Under the restriction that in any infinite history H, every transaction T ∈ 
txns(H) is t-complete in H, and the restriction of unique writes, H ∈ Opacity iff H ∈ DU-Opacity. 

Proof. By Definition 5, an infinite history H is opaque if every finite prefix of H is final-state 
opaque. Therefore, Theorem 4 and Lemma 13 imply that Opacity ⊆ DU-Opacity. The converse 
direction follows from Theorem 10. □ 

4.3 Other definitions 

Explicitly using the deferred-update semantics in an opacity definition was first proposed by 
Guerraoui et al. [3] and later adopted by Kuznetsov and Ravi [10]. In both papers, opacity 
is only defined on sequential histories, where every invocation of a t-operation is immediately 
followed by a matching response. In particular, these definitions require the serialization to 
respect the read-commit order: if a t-read of a t-object X by a transaction precedes the 
tryC of a transaction T_m that commits on X, then that transaction must precede T_m in the serialization. 
But we observe that this definition is not equivalent to opacity even for sequential histories: 
Figure 5 depicts a counter-example. In fact the property defined in [3] is strictly stronger than 
du-opacity: the history in Figure 6 is du-opaque. We can derive a du-opaque serialization S for 
this history such that seq(S) = T_1, T_3, T_2. However, by the above definition, T_2 must precede 
T_3 in any serialization of this history since the response of R_2(X) precedes the invocation of 
tryC_3(). In fact, many opaque TM implementations employing read validation within every 
t-read or tryC operation would export such a history. 

The recently introduced TMS2 correctness condition [2, 11] can also be thought of as an 
attempt to clarify opacity. TMS2 is a restriction of opacity that explicitly requires the serialization 
to respect the read-conflict order among transactions. Informally, two transactions 
conflict if they access the same t-object and at least one of them successfully commits to it. 
Then, TMS2 requires that if two transactions T_1 and T_2 conflict on t-object X such that 
X ∈ Wset(T_1) ∩ Rset(T_2) and tryC of T_1 precedes the tryC of T_2, then T_1 must precede T_2 
in any final-state serialization. Since our read-from relation is much less restrictive than the 
read-conflict order, we suspect that every history that is TMS2 is du-opaque, but not vice-versa. 
Indeed, Figure 7 depicts a history H that is du-opaque, but not TMS2. It is du-opaque since 
there exists a du-opaque serialization S of H such that seq(S) = T_2, T_1. However, H does not 
satisfy TMS2 since T_1 must precede T_2 in any t-sequential history equivalent to H, but this is 
not a final-state serialization of H. 

Figure 7: History with T_1: R_1(X) → 0, W_1(X,1), tryC_1 → C_1; T_2: R_2(X), W_2(Y,1), tryC_2 → C_2. History is du-opaque, but not TMS2 [2]. 



5 Discussion 



It is widely accepted that a correctness condition on a set of histories should be a safety property, 
i.e., should be prefix- and limit-closed. The definition of opacity proposed in [5] forcefully 
achieves prefix-closure by filtering out prefix-closed histories, and trivially achieves limit-closure 
by reducing correctness of an infinite history to correctness of its prefixes. In this paper, we 
proposed a correctness criterion that explicitly disallows reading from an uncommitted transaction, 
which ensures prefix-closure and (under the restriction that every transaction eventually 
commits or aborts) limit-closure. We believe that this constructive definition is useful to TM 
practitioners, since it streamlines possible implementations of t-read and tryC operations. Moreover, 
it seems that du-opacity already captures the sets of histories exported by most existing 
opaque TM implementations. 

To the best of our knowledge, there is no prior work proving that any TM correctness 
property is a safety property in the formal sense. The argumentation in the proof of Theorem 4 
is inspired by the proof sketch in [12] of the safety of linearizability [8], but turns out to be much 
trickier due to the complicated "two-layer" structure of opacity. In this paper, we proved that 
du-opacity is a limit-closed property under the restriction that every transaction is t-complete 
(has no pending transactions) in the infinite limit history. It remains open whether we can 
prove limit-closure under the restriction that every transaction is just complete (has no pending 
t-operations) in the infinite limit history. 

Acknowledgements: The last author would like to thank Victor Luchangco for interesting 
discussions on opacity during PODC'12 and anonymous reviewers of WTTM'12 for comments 
on a nascent version of this paper. 